C#: Fix context-sensitive dispatch when using base qualifier

hvitved · hvitved · commit aa3f4e1eca4a · 2025-08-28T13:24:47.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll b/csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll
@@ -270,6 +270,14 @@ private module Internal {
     hasOverrider(t, c)
   }
 
+  /**
+   * For `base` expressions, the extractor provides the type of the base
+   * class instead of the derived class; this predicate provides the latter.
+   */
+  private Type getBaseAdjustedType(BaseAccess base) {
+    result = base.getEnclosingCallable().getDeclaringType()
+  }
+
   abstract private class DispatchOverridableCall extends DispatchCallImpl {
     pragma[noinline]
     OverridableCallable getAStaticTargetExt() {
@@ -360,7 +368,12 @@ private module Internal {
     private predicate contextArgHasType(DispatchCall ctx, Type t, boolean isExact) {
       exists(Expr arg, int i |
         this.relevantContext(ctx, i) and
-        t = getAPossibleType(arg, isExact)
+        (
+          t = getBaseAdjustedType(arg) and isExact = false
+          or
+          not exists(getBaseAdjustedType(arg)) and
+          t = getAPossibleType(arg, isExact)
+        )
       |
         ctx.getArgument(i) = arg
         or
@@ -725,9 +738,7 @@ private module Internal {
 
       Type getType(boolean isExact) {
         result = this.getType() and
-        if
-          this instanceof ObjectCreation or
-          this instanceof BaseAccess
+        if this instanceof ObjectCreation or this instanceof BaseAccess
         then isExact = true
         else isExact = false
       }
diff --git a/csharp/ql/test/library-tests/dataflow/call-sensitivity/CallSensitivityFlow.expected b/csharp/ql/test/library-tests/dataflow/call-sensitivity/CallSensitivityFlow.expected
@@ -60,8 +60,8 @@ edges
 | CallSensitivityFlow.cs:187:17:187:30 | call to method CallMOut : Object | CallSensitivityFlow.cs:187:13:187:13 | access to local variable o : Object | provenance |  |
 | CallSensitivityFlow.cs:205:40:205:40 | o : Object | CallSensitivityFlow.cs:208:18:208:18 | access to parameter o | provenance |  |
 | CallSensitivityFlow.cs:239:35:239:35 | o : Object | CallSensitivityFlow.cs:241:17:241:17 | access to parameter o : Object | provenance |  |
-| CallSensitivityFlow.cs:241:17:241:17 | access to parameter o : Object | CallSensitivityFlow.cs:244:35:244:35 | o : Object | provenance |  |
-| CallSensitivityFlow.cs:244:35:244:35 | o : Object | CallSensitivityFlow.cs:246:14:246:14 | access to parameter o | provenance |  |
+| CallSensitivityFlow.cs:241:17:241:17 | access to parameter o : Object | CallSensitivityFlow.cs:256:36:256:36 | o : Object | provenance |  |
+| CallSensitivityFlow.cs:256:36:256:36 | o : Object | CallSensitivityFlow.cs:258:14:258:14 | access to parameter o | provenance |  |
 | CallSensitivityFlow.cs:263:17:263:28 | object creation of type Object : Object | CallSensitivityFlow.cs:239:35:239:35 | o : Object | provenance |  |
 nodes
 | CallSensitivityFlow.cs:7:38:7:38 | o : Object | semmle.label | o : Object |
@@ -138,8 +138,8 @@ nodes
 | CallSensitivityFlow.cs:208:18:208:18 | access to parameter o | semmle.label | access to parameter o |
 | CallSensitivityFlow.cs:239:35:239:35 | o : Object | semmle.label | o : Object |
 | CallSensitivityFlow.cs:241:17:241:17 | access to parameter o : Object | semmle.label | access to parameter o : Object |
-| CallSensitivityFlow.cs:244:35:244:35 | o : Object | semmle.label | o : Object |
-| CallSensitivityFlow.cs:246:14:246:14 | access to parameter o | semmle.label | access to parameter o |
+| CallSensitivityFlow.cs:256:36:256:36 | o : Object | semmle.label | o : Object |
+| CallSensitivityFlow.cs:258:14:258:14 | access to parameter o | semmle.label | access to parameter o |
 | CallSensitivityFlow.cs:263:17:263:28 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 subpaths
 | CallSensitivityFlow.cs:85:26:85:37 | object creation of type Object : Object | CallSensitivityFlow.cs:7:38:7:38 | o : Object | CallSensitivityFlow.cs:11:20:11:20 | access to parameter o : Object | CallSensitivityFlow.cs:85:14:85:44 | call to method FlowThrough |
@@ -165,4 +165,4 @@ subpaths
 | CallSensitivityFlow.cs:172:37:172:48 | object creation of type Object : Object | CallSensitivityFlow.cs:172:37:172:48 | object creation of type Object : Object | CallSensitivityFlow.cs:188:14:188:14 | access to local variable o | $@ | CallSensitivityFlow.cs:188:14:188:14 | access to local variable o | access to local variable o |
 | CallSensitivityFlow.cs:182:21:182:32 | object creation of type Object : Object | CallSensitivityFlow.cs:182:21:182:32 | object creation of type Object : Object | CallSensitivityFlow.cs:208:18:208:18 | access to parameter o | $@ | CallSensitivityFlow.cs:208:18:208:18 | access to parameter o | access to parameter o |
 | CallSensitivityFlow.cs:185:21:185:32 | object creation of type Object : Object | CallSensitivityFlow.cs:185:21:185:32 | object creation of type Object : Object | CallSensitivityFlow.cs:164:14:164:14 | access to parameter o | $@ | CallSensitivityFlow.cs:164:14:164:14 | access to parameter o | access to parameter o |
-| CallSensitivityFlow.cs:263:17:263:28 | object creation of type Object : Object | CallSensitivityFlow.cs:263:17:263:28 | object creation of type Object : Object | CallSensitivityFlow.cs:246:14:246:14 | access to parameter o | $@ | CallSensitivityFlow.cs:246:14:246:14 | access to parameter o | access to parameter o |
+| CallSensitivityFlow.cs:263:17:263:28 | object creation of type Object : Object | CallSensitivityFlow.cs:263:17:263:28 | object creation of type Object : Object | CallSensitivityFlow.cs:258:14:258:14 | access to parameter o | $@ | CallSensitivityFlow.cs:258:14:258:14 | access to parameter o | access to parameter o |
